Hello,
I am using MQTT library with OpenSSL support as given in below link:
https://github.com/tuanpmt/esp32-mqtt
In this library it does not use any x509 certification or private key structure for SSL. So I am confused little bit. Is it called secure connection without using any certificate as working of above mentioned MQTT library.? or OpenSSL library manages internally.? Even in the IDF OpenSSL library source code it does not use any API like SSL_CTX_use_certificate().
Can anybody help me in this.?
Thanks.
MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
-
- Posts: 62
- Joined: Wed Apr 19, 2017 6:35 am
-
- Posts: 64
- Joined: Tue Jan 10, 2017 1:09 pm
Re: MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
Hi
if you act as a client (connect to a MQTT broker) you don't need a certificate if the MQTT broker doesn't explicitly require it (mutual authentication or SSL client authentication). When you connect, you receive the SSL server certificate of the broker and this is used to "secure" the channel.
So basically yes, the channel is secure (encrypted) even if you don't "own" a certificate... but if you don't perform any certificate verification (pinning) someone could be able to redirect your connection to a malicious MQTT broker and receive your data. This is the reason why they normally suggest to verify the the certificate you receive to be sure that the MQTT broker you're connecting to is the "real" one.
bye
if you act as a client (connect to a MQTT broker) you don't need a certificate if the MQTT broker doesn't explicitly require it (mutual authentication or SSL client authentication). When you connect, you receive the SSL server certificate of the broker and this is used to "secure" the channel.
So basically yes, the channel is secure (encrypted) even if you don't "own" a certificate... but if you don't perform any certificate verification (pinning) someone could be able to redirect your connection to a malicious MQTT broker and receive your data. This is the reason why they normally suggest to verify the the certificate you receive to be sure that the MQTT broker you're connecting to is the "real" one.
bye
-
- Posts: 62
- Joined: Wed Apr 19, 2017 6:35 am
Re: MQTT with OpenSSL, Is it secure connection without using any certificate or private key..?
Hi Kurtzweber,
Its very helpful information,Thanks.
Its very helpful information,Thanks.
Who is online
Users browsing this forum: No registered users and 126 guests